Sunday, April 8, 2018

schwab

schwab

ESPP

A ESPP invest period is often 6 months, each month an amount is invested.

When the company buys the shares for you, you do not owe any taxes. You are exercising your rights under the ESPP. You have bought some stock. So far so good.

When you sell the stock, the discount that you received when you bought the stock is generally considered additional compensation to you, so you have to pay taxes on it as regular income.

If you hold the stock for less than a year before you sell it, any gains will be considered compensation and taxed as such. If you hold the shares for more than one year, any profit will be taxed at the usually lower capital gains rate.

For me, espp shares are often sold Feb or Aug after the 15th day.

Stock options

http://eac.schwab.com -> Accounts -> History -> Equity Awards website -> My Equity Awards -> History and Statements -> Date Range = All:

sell 205 ESPP shares

  • Subscription: Date = 08/15/2017; FMV = $36.81
  • Purchase: Date = 02/14/2014; FMV = 48.38; Price = MIN(Subscription FMV,Purchase FMV) * 0.85 = 31.2885
  • Sale: Date = 02/20/2018; Price = $48.95
  • capital gain = (48.38 - 31.2885) * 205 = 3503.76 USD = 3503.76 * 1.2562 cad = 4401.42 cad
  • Taxes are deducted by two pay rolls's ESP-ER(02/28/2018 and 03/15/2018), each time with gain 2200.71
  • My personal fed-tax rate is 26%, my personal prov-tax rate is 14.7%: 2200.71 * 0.407 = 895.69.
  • As Sale Price, 48.95, is not equal with 48.38, so should further report tax gain when file tax.

sell 196 OPTIONs

  • Award Names : 00002066 00003118
  • Shares: 26 170
  • Award Price: $3.735 $8.43
  • Sale Price: $24.191
  • Sale Date: 07/23/2014
  • Award Date: 01/28/2009; 02/10/2010
  • Exercise Cost = 3.735 * 26 + 8.43 * 170 = 97.11 + 1433.1 = 1530.21
  • Taxes: 894.34
  • Gross Proceeds: 196 * 24.191 - possible commissions and fees = 4741.436 - 9.046 = 4,732.39
  • assume capital gain = 4,732.39 - 1530.21 = 3202.18, taxable gains = 3202.18 * 1/2 = 1601.09
  • //taxable gains is 50% if span years.
  • then tax rate = 894.34 / 1601.09 = 55.9%
  • Net Proceeds = 2,307.84 = Gross Proceeds - Taxes - Exercise Cost = 4,732.39 - 1530.21 - 894.34

RSU

An example of an RSU grant is the easiest way to understand the concept. Let's say Sue works for ABC Corp and was awarded 300 RSUs on May 1, 2011.

50 award will vest every 6 months. Sue's first batch of 50 units of restricted stock vested on November 1, 2011. ABC was trading at $10 and Sue's employer sold 23 shares(46%) and remitted the withholding tax to CRA. Sue's second batch of 50 units of restricted stock vested on May 1, 2012. ABC was trading at $12 and Sue's employer again sold 23 shares and remitted the withholding tax to CRA. In both cases, her employer included $500 and $600 in employment income and $230 and $276 in income tax deducted in Sue's T4 for 2011 and 2012 respectively(so sue pay income tax for $270 and $324, for year 2011 and 2012).

On May 15, 2012, ABC hit $15 and Sue sold the 54 shares of ABC Corp that she holds. Sue's adjusted cost base is $11 (27 shares acquired at $10 and 27 shares acquired at $12). Since she sold for $15, her capital gains are $216, which she would declare when filing her 2012 tax return in Schedule 3, if no deduction from paychecks | payrolls.

RSU is too complex for tax, later never consider RSU.

Tuesday, March 27, 2018

An example of MBR

//sectors_per_track = 56


[511-512](1fe~1ff): 55 AA
[447-510] 1BE - 1FD : partition table
partition 1(0x0):
 .bt0 = 0x80 =  Active
/* .bt1 = disk_hdr_idx = 01
 .bt2&0x3f = sector_id = 01
 ((.bt2&0xc0) >> 6) + (.bt3 << 2) = cylinder_idx = 0
 .bt4: file system id( NTFS = 0x07 )
 .dw8: sector_addr = 0x38// byte_addr = 0x7000

partition 2(0x1):
 .bt0 = 0 = not Active/*
 disk_hdr_idx = 0
 sector_id = 1
 cylinder_idx = 1023*/
 file system id = 0f = extend partition
 .dw8: 42911400 // byte_addr = 42911400 * 512 = 0x51D8D5000 ,
 //extend partition can have its own partition table, it's 0x51D8D51be here
 //here we only have one logic partition inside, it's D:
 D.Active = false
 D.byte_addr = 0x7000
 //byte_addr is relative, the abs byte_addr is 0x51D8Dc000, at this addr we can find the (logic) partition's boot record

Tuesday, March 13, 2018

evaluation of VMAttack IDA plugin

evaluation of VMAttack IDA plugin

My evaluation for this plugin is: it's too young but promising.

I firstly introduce the plugin, then evaluate it from two aspects: Automated and Manual Analysis.

Introduction

VMAttack is an IDA plugin which generates and analyses trace log of PE. If trace is not validly produced, the plugin is useless.

Trace generation is automatic and upon completion it will produce a success notification in IDAs output window.

Traversed paths will be colored in a shade of blue, where a darker shade represents a higher number of traversals. We can get a global distribution of traced code with a glance.

Initially it shows system and customer calls and args, this is useful when the PE has explicit function boundaries and give gross view. VMAttack can STEP over system funcs while extract args, which save sapce for trace.

As the best way to understand this plugin is to practice it, so I also collected ALL the tools and writed installer( install.bat ) for praticing.

The demo samps include the obfuscated binary and source binary of an add function:

addvm_3AE2BABAA4920BEF3E466F34B0075FFB.exe
addvm_B4E34E39CFDD13E65D070E9FB9717620.vmp.exe

They are available at https://github.com/anatolikalysch/VMAttack/tree/master/Example/addvmp . In the team discuss, I send an email titled as 'decode vmprotect is possible?', that email tell constuction of that vmp sample detailed, debug it with my mimic program, then practice VMAttack after perform install.bat. by this way it's easy to understand this plugin, in this way, we can better evaluate it.

Automated Analysis

Automated Analysis extract useful informations from the trace log automatically or semi-automatically. It includes Input / Output Analysis, Clustering Analysis, Grading Snalysis, Dynamic Trace Optimization, Static deobfuscate.

Input / Output Analysis

The input/output analysis could provide leads as to how the input arguments of the VM function are used and whether there is a connection between function input and function output.

evaluation: for realworld samples, connection between function input and output can be exposed, but not obviously, not very clear.

Clustering Analysis

If a group of insts executed more than one time, they may be taken as cluster. For example, if Cluster Heuristic Threshold set as 3, then if an address is encountered more than twice, it's taken as start of a cluster.

evaluation:Clustering is a good feature, it can folder and reduce trace by a lot, especially Greedy Clustering option is set. VMAttack can quickly remove unnecessary clusters. It can also rollback wrongly removed clusters. If basic block detection was not deactivated in the settings, the clusters themselves are additionally subdivided into basic blocks.The basic block description is a good summary, further more, instructions whose computations are simply overridden are not displayed, which is good feature of in-block deobfuscation.

Grading Analysis

Each inst, block of insts, cluster of insts has different importance. The grade of an inst is affected by Memory usage Importance, Clustering Importance, Input/Output Importance, and so on.

At the end of the grading analysis the now graded trace will be presented in the grading viewer. The trace can now be filtered either by double clicking a grade or via context menu where the user will be prompted to input the grade threshold to display.

evaluation:Clustering Analysis is useful. For example, if you decide Input/Output Analysis is very very important, then inst having largest grade should be the inst do the add op on two adders.

Dynamic Trace Optimization

Dynamic Trace Optimizations which make the trace easier to read.

evaluation:Foldering constants, Folding not used operand are good feature of deobfuscations.

Static deobfuscate

The static deobfuscate function tries to statically determine the instructions that will be executed by the byte code in the provided virtual machine function. The semi-automatic version of this analysis tries to determine all necessary values(later will introduce the values) automatically.

evaluation:refer to the Manual Analysis version of Static deobfuscate for the evaluation.




Manual Analysis

most Manual Analysis features are depending on following VM Context model:

  • Code Start - the byte code start, vm_insts, exactly vm_insts_start
  • Code End - the byte code end, vm_insts_end
  • VM Addr - the start address of the virtual machine function(Protect Func, for short, pf);
  • Base Addr - the base address of the jump table(the dispatch table, or , insts_engine), for vmp:
    .vmp0:00404339 8A 06                                         mov     al, [esi]
    .vmp0:0040433B 0F B6 C0                                      movzx   eax, al         ; op code
    .vmp0:0040433E 83 C6 01                                      add     esi, 1
    .vmp0:00404341 FF 24 85 9C 43 40 00                          jmp     dword ptr ds:inst_engines[eax*4]
    

There are three ways to decide VM Context:

  • by the Settings menu entry
  • by Manual_Analysis->VM_Context's 'find statically' or 'find dynamically' entry.

Following are so called Manual Analysis features:

  • Find VM Function(Protect Func, pf) Input Parameter, the plugin will print "BABE5 , OFFSET WORD_40489A , AFFE1 “, BABE5 and AFFE1 are passed from Protected Func(pdf), WORD_40489A are vm_insts.
    evaluation: useful
  • Find VM Function Output Parameter, for the demo sample addvmp:
    .text:0040102E                              ; .text:00401000
    .text:0040102E                              ; .text:00401000 55             push    ebp
    .text:0040102E                              ; .text:00401001 89 E5          mov     ebp, esp
    .text:0040102E                              ; .text:00401003 8B 55 08       mov     edx, [ebp+arg_0]
    .text:0040102E                              ; .text:00401006 8B 45 0C       mov     eax, [ebp+arg_4]
    .text:0040102E                              ; .text:00401009 01 D0          add     eax, edx
    .text:0040102E                              ; .text:0040100B 5D             pop     ebp
    .text:0040102E                              ; .text:0040100C C3             retn
    edi:0
    eax:16ABC6 //affected
    ebp:28FF88
    esp:28FF60
    edx:AFFE1 //affected
    ebx:7EFDE000
    esi:0
    ecx:76728E8A
    

    evaluation: very useful
  • Find Virtual Reg to Reg mapping, for the demo sample addvmp:
    .vmp0:0040432C 89 E5                                         mov     ebp, esp        ; vms_top
    .vmp0:0040432E 81 EC C0 00 00 00                             sub     esp, 0C0h       ; vmd , vm data, virtual registers
    
    edi:28FF3C
    eax:28FF58
    ebp:28FF4C
    edx:28FF50
    ebx:28FF44
    esi:28FF48
    ecx:28FF54
    

    evaluation: not checked, I will not trust this feature
  • Follow Virtual Register: This provides a manual interface to the register tracking functionality.
    evaluation: not useful, will not use this feature
  • The address count reads in a trace and returns in IDAs output window the ratio: (Address (disasm): frequency of occurrence)
    evaluation: not useful; except when used as counter of condition breakpoint

Except for previous features, the plugin provide an "Deobfuscate from..." menu, it seems it try to deobfuscate vm byte code, but I believe this feature is not realized.




decode_vmprotect_blog

It may sound weird that I say decoding vmprotect instead of emulating it. Considering a packer as simple as UPX, we take it as archiver and decompress it; well, SOMETIMES, for vmprotect samples, decoding is also an option.

Last week I was asked to give an evaluation of IDA plugin VMAttack( https://github.com/anatolikalysch/VMAttack ), under this project there is a vmprotect sample addvm.vmp (md5 = B4E34E39CFDD13E65D070E9FB9717620 ); by analysing it, I found decoding vmprotect sample is possible when:

  1. The protector is weakly obfuscating the sample.
  2. can find ProtectedFunc(s).
  3. can find ProtectFunc(s)

With condition 1, WE can easily find ProtectedFunc(s) and ProtectFunc(s). After found ProtectFunc, vm inst stubs can also be found, group of vm insts then can be decoded and restored one by one to its ProtectedFunc( note: ProtectedFunc is inplaced protected ).

fundamentals of vmprotect

There are researchers in the internet researching vmprotect, by following them, one may become a vmprotecter, or we have option to analyse it ourself.

If you have analysed vmprotect, or you wanna follow internet researchers, simply skip this section.

Given a program, vmprotect can protect many funcs|slices of the code. For here, I am assuming there is only one ProtectedFunc, for short, pdf:

.text:0040102E                              ; .text:00401000
.text:0040102E                              ; .text:00401000 55             push    ebp
.text:0040102E                              ; .text:00401001 89 E5          mov     ebp, esp
.text:0040102E                              ; .text:00401003 8B 55 08       mov     edx, [ebp+arg_0]
.text:0040102E                              ; .text:00401006 8B 45 0C       mov     eax, [ebp+arg_4]
.text:0040102E                              ; .text:00401009 01 D0          add     eax, edx
.text:0040102E                              ; .text:0040100B 5D             pop     ebp
.text:0040102E                              ; .text:0040100C C3             retn
.text:0040102E                              ; .text:0040100C                sub_401000      endp

protection is performed in an inplace-hack way. inplace-hack begins with an inline hook which hook to protect func caller(pfc). the values of changed remain bytes(here, 8 bytes) are explained by ProtectFunc (for short, pf):

.text:00401000 E9 F2 38 00 00                                jmp     pfc
.text:00401005 00 00 00 00                   pdf_remains     dd 0
.text:00401009 4F 0D 1D                                      db 4Fh, 0Dh, 1Dh
.text:0040100C 2E                                            db 2Eh

pfc simply push vm insts and call pf:

004048F7                               pfc:
.vmp0:004048F7 68 9A 48 40 00                                push    offset vm_insts
.vmp0:004048FC E8 13 FA FF FF                                call    ProtectFunc
.vmp0:004048FC                               ; ---------------------------------------------------------------------------
.vmp0:00404901

pf firstly accept CPU registers(if you research into the pf, you found it's not saving them, but accepting them, by push then pop to data slots), then set stack, data, then run vm insts one by one:

.vmp0:00404314                               ProtectFunc     proc near
.vmp0:00404314                               arg0_insts_at_40489A= dword ptr  4
.vmp0:00404314 50                                            push    eax
.vmp0:00404315 51                                            push    ecx
.vmp0:00404316 52                                            push    edx
.vmp0:00404317 55                                            push    ebp
.vmp0:00404318 56                                            push    esi
.vmp0:00404319 53                                            push    ebx
.vmp0:0040431A 9C                                            pushf
.vmp0:0040431B 57                                            push    edi             ;
.vmp0:0040431C 57                                            push    edi
.vmp0:0040431D FF 35 05 10 40 00                             push    pdf_remains
.vmp0:00404323 68 00 00 00 00                                push    0 ; next inst(here is the first) offset, some said the 0 here will be imagebase fixup, it's reasonable but I am not sure.

.vmp0:00404328 8B 74 24 30                                   mov     esi, [esp+2Ch+arg0_insts_at_40489A] ; insts
.vmp0:0040432C 89 E5                                         mov     ebp, esp        ; vms_top
.vmp0:0040432E 81 EC C0 00 00 00                             sub     esp, 0C0h       ; vmd num of bytes
.vmp0:00404334 89 E7                                         mov     edi, esp        ; vmd
.vmp0:00404336
.vmp0:00404336                               loc404336_inst_to_next:
.vmp0:00404336 03 75 00                                      add     esi, [ebp+0]
.vmp0:00404339
.vmp0:00404339                               loc404339_query_inst_engine:
.vmp0:00404339 8A 06                                         mov     al, [esi]
.vmp0:0040433B 0F B6 C0                                      movzx   eax, al         ; op code
.vmp0:0040433E 83 C6 01                                      add     esi, 1
.vmp0:00404341 FF 24 85 9C 43 40 00                          jmp     dword ptr ds:inst_engines[eax*4]

...

protected inst 0(push ebp):
vm inst 0
vm inst 1
...
vm inst i

protected inst 1(mov ebp, esp):
vm inst i+1
vm inst i+2
...

details of vmprotect

I have created minic source code to tell the details of vmprotect, the minic is not full support of all vm insts, but made small and suitable for this sample. the mimic contains following modules:

  • vm stack
  • vm data
  • vm insts
  • vm context
  • vmp

Also, a windbg trace log will be attached, debugging the source code and refering the windbg log, one may understand vmprotect better.

AT LAST , VERY IMPORTANT, IF VM INSTS INSIDE FOLLOWING MIMIC SRCS CAN BE IDENTIFIED, WE CAN THEN FULLY DECODE THIS PDF(PROTECTED FUNC):

    pdf_401000_push_ebp();
    pdf_401001_mov_ebp_esp();
    pdf_401003_mov_edx_adder0();
    pdf_401006_mov_eax_adder1();
    pdf_401009_add_eax_edx();
    pdf_40100B_pop_ebp();
    pdf_40100C_ret();

Thanks.

Sunday, March 4, 2018

tuition_education__and__textbook_amounts

tuition here is regarding job training.

The education amount was a tax credit based on the number of months you spent studying full-time or part-time in a qualifying educational program during the tax year.

If you were eligible for the education amount, you were also eligible for the textbook credit.

residency_status

When preparing your tax return, you may need to refer to other guides, or complete some schedules and other forms that have more detailed information. To get any other documents that you need, go to Previous-year forms and publications listed by number and by title: https://www.canada.ca/en/revenue-agency/services/forms-publications/previous-year-forms-publications/forms-publications-listed-reference-number.html

this document are extracting info mainly from tax package for BC :
https://www.canada.ca/en/revenue-agency/services/forms-publications/previous-year-forms-publications/archived-previous-year-tax-packages/archived-general-income-tax-benefit-package-2013/archived-british-columbia-general-income-tax-benefit-packages-2013.html :

  • General Income Tax and Benefit Guide - 2013
  • Schedule 1 - Federal Tax
  • Schedule 2 - Federal Amounts Transferred From Your Spouse or Common-law Partner
  • Schedule 3 - Capital Gains (or Losses) in 2013(For us, we do not invest, or buy sell stocks this year)
  • Schedule 5 - Amounts for Spouse or Common-Law Partner and Dependants
  • Schedule 6 - Working Income Tax Benefit - British Columbia

  • Provincial Worksheet
  • Form BC428 - British Columbia Tax
  • Form BC479 - British Columbia Credits
  • Schedule BC(S2) - Provincial Amounts Transferred From Your Spouse or Common-Law Partner

view_stock_option_history

from www.schwab-global.com , found a link tagged as "log in", input user id then entered the logged-in state.

from the left top drop-list, select Equity Awards Center.

At Equity Awards Center, select My Equity Awards's History_and_Statements tab.